SOLVED

Some sign-in logs are missing.

Contributor

Greetings, I have a technical question about log gathering in Sentinel.


I am currently setting up an alarm for when there have been more than 5 login attempts for users against the Azure portal. I have then gone ahead and failed the login 5 times for a user, and I can see these logs in the AAD sign-in logs.

However, in the Azure Sentinel sign-in logs I have only 3 events of this happening, not 5, so the alarm won't go off. Is there some setting I need to tweak for it to send over all the logs and not just parts of them?

2 Replies
best response confirmed by stianhoydal (Contributor)
Solution
Have you written this yourself, or used one of the GitHub examples, like this one? https://github.com/Azure/Azure-Sentinel/blob/45da87dec250017c0fd45cb55842e6d6cde8f1ee/Detections/Sec...

If you have 3 rows, it's likely the other two rows of data are delayed, or the query needs altering to detect them. Can you share the query?
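As an added illustration of the two points raised in this answer (late-arriving rows and the shape of the query), the following KQL is an example written for this thread, not the poster's rule and not the linked GitHub detection. It assumes the Sentinel `SigninLogs` table, that the portal is identified by `AppDisplayName == "Azure Portal"`, that failures are any `ResultType` other than `"0"`, and a threshold of 5; it also reports the largest gap between event time and ingestion time so a delay like the one described here shows up in the results instead of silently dropping rows below the threshold.

```kql
// Example detection for this thread (not from the original post or project).
// Assumptions: SigninLogs schema, AppDisplayName == "Azure Portal" marks the
// portal, ResultType "0" is success, threshold of 5 failed attempts per user.
let threshold = 5;
// Look back further than the rule's run frequency so rows that arrive late
// are still counted in the bin they belong to.
let lookback = 1d;
SigninLogs
| where TimeGenerated > ago(lookback)
| where AppDisplayName == "Azure Portal"
| where ResultType != "0"                       // keep only failed sign-ins
| extend IngestionDelayMin = datetime_diff('minute', ingestion_time(), TimeGenerated)
| summarize FailedCount = count(),
            FirstFailure = min(TimeGenerated),
            LastFailure = max(TimeGenerated),
            SourceIPs = make_set(IPAddress, 10),
            ResultCodes = make_set(ResultType, 10),
            MaxIngestionDelayMin = max(IngestionDelayMin)   // how late the slowest row arrived
        by UserPrincipalName, bin(TimeGenerated, 1h)
| where FailedCount > threshold
| project UserPrincipalName, TimeGenerated, FailedCount, FirstFailure, LastFailure,
          SourceIPs, ResultCodes, MaxIngestionDelayMin
```

If `MaxIngestionDelayMin` is regularly larger than the analytics rule's lookback period, the rule will keep seeing a partial count; widening the lookback (as `lookback` does above) or scheduling the rule to run less often than the observed delay is the usual fix.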
It seems they were, as you said, delayed.